The Param Digger is a tool that can be used for parameter discovery. It identifies hidden, unlinked, and “obscure” parameters that can be useful for increasing the attack surface, thus easing the process of finding vulnerabilities. It uses a given URL as a seed and performs brute-force guessing attacks to identify parameters. It is primarily based on James Kettle’s research and implementation: Practical Web Cache Poisoning and Web Cache Entanglement.
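From the defender's side, the brute-force guessing described above leaves a recognisable trace: one client sends many requests to the same path, each carrying a different query parameter name, within a short span. The following added example (not part of the Param Digger add-on or of this page) shows a small detection rule that parses combined-format access log lines, collects the distinct query parameter names each client sends against each path, and flags pairs that exceed a threshold. The log lines, the threshold value and the field layout are constructed assumptions for the example.

```python
import re
from collections import defaultdict
from urllib.parse import urlsplit, parse_qsl

# Constructed sample access log in a combined-log-like format (not real traffic).
# 10.0.0.5 cycles through parameter names against /index.php, as a guessing run
# would; 10.0.0.9 reuses a single parameter, as ordinary browsing would.
SAMPLE_LOG = """\
10.0.0.5 - - [01/Jan/2024:10:00:01 +0000] "GET /index.php?debug=1 HTTP/1.1" 200 512
10.0.0.5 - - [01/Jan/2024:10:00:01 +0000] "GET /index.php?admin=1 HTTP/1.1" 200 512
10.0.0.5 - - [01/Jan/2024:10:00:02 +0000] "GET /index.php?test=1 HTTP/1.1" 200 512
10.0.0.5 - - [01/Jan/2024:10:00:02 +0000] "GET /index.php?id=1 HTTP/1.1" 200 512
10.0.0.5 - - [01/Jan/2024:10:00:03 +0000] "GET /index.php?callback=1 HTTP/1.1" 200 512
10.0.0.5 - - [01/Jan/2024:10:00:03 +0000] "GET /index.php?redirect=1 HTTP/1.1" 200 512
10.0.0.9 - - [01/Jan/2024:10:00:05 +0000] "GET /index.php?page=2 HTTP/1.1" 200 512
10.0.0.9 - - [01/Jan/2024:10:00:06 +0000] "GET /index.php?page=3 HTTP/1.1" 200 512
"""

# Minimal combined-log pattern: client IP, request line, status and size.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3}) \d+'
)


def parse_line(line):
    """Return (client_ip, path, set_of_query_param_names) or None if unparsable."""
    m = LOG_RE.match(line)
    if not m:
        return None
    parts = urlsplit(m.group("target"))
    # keep_blank_values so that "?debug" (no value) still counts as a name
    names = {name for name, _ in parse_qsl(parts.query, keep_blank_values=True)}
    return m.group("ip"), parts.path, names


def find_param_guessing(log_text, threshold=5):
    """Return {(ip, path): sorted distinct param names} for pairs at or above threshold.

    A parameter-guessing run shows up as many distinct query parameter names
    from one client against one path; normal use reuses a small, fixed set.
    """
    seen = defaultdict(set)
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue
        ip, path, names = rec
        seen[(ip, path)].update(names)
    return {key: sorted(names) for key, names in seen.items() if len(names) >= threshold}


if __name__ == "__main__":
    for (ip, path), names in find_param_guessing(SAMPLE_LOG).items():
        print(f"{ip} sent {len(names)} distinct parameter names to {path}: {', '.join(names)}")
```

In production the rule would bound the count to a sliding time window (the timestamp is parsed but not used here) and would look at header and cookie names as well as query parameters, since guessing can target those too; the sample threshold of five is deliberately low so the constructed log triggers it.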
The Param Digger can be configured and started using the Param Digger dialog.
It provides:
A menu item under the top level ‘Tools’ menu.
A basic status panel.
An API component that adds an action endpoint.